Showing posts with label Security Management. Show all posts

Monday, July 15, 2013

OPINION: Who You Callin' An "Expert"?!




Recently, someone called me an "expert". While I was extremely flattered, it made me think a lot about my initial reaction to that label. If you've been in this field, you will note there are several people who go around calling themselves "experts". A few of them are and a lot of them aren't. Most of my introspection was with where I saw myself and how I allowed others to see me.  Am I an "expert" or a guy who likes to talk a lot about security?

The answer to both of those is a paradox of sorts, as they are equally complicated and simple. According to some, being an "expert" means knowing a lot of stuff about security and sounding half-way intelligent about that stuff. Some would argue I fit into that category. While I hope I'm not, I certainly can understand how people can see me that way. Many people know a lot of stuff about a lot of stuff and "talk a good game" but lack real depth in their knowledge or experience. So, I can't help but wonder, with 10 years of doing various jobs in security, a blog, and some above-basic knowledge, where does that place me? I'm also very passionate about security. Do passion, knowledge, and an audience make someone an "expert" and should I even want to be considered one?

When I first decided to start this blog, I did it with the intention of sharing security news and information with my audience. It soon became an opportunity to share my opinions and insight. While all that was very important, I always felt I needed something more constructive. There are tons of people all over social media and the rest of the Net who believe the "smarter" you sound, the greater your expertise. I have found a great deal of those people lack expertise and oftentimes, real knowledge of the subject matter. Don't get me wrong. I'm guilty of this as well at times. Very guilty, as a matter of fact.

So what am I? I'm a student of security in both the literal sense and the rhetorical as well. I'm eager and willing to learn from anywhere. I'm not afraid to test an idea or hypothesis in the field or be reviewed by my peers. Sometimes, what I say and do sucks. I get stuff wrong - A LOT. My ideas may not be preferred or have any chance of success. Occasionally, I don't stay in my lane. Okay. I can hear you laughing. I don't stay in my lane enough at times.

So how do I go about fixing this? I decided to start changing how I viewed my interactions with people and the objectives I set for them. In other words, I felt it was less important to demonstrate knowledge than it was to receive and learn from others. I had been afforded an opportunity to label myself as an "expert" many times. It always felt hollow and empty, as if it was undeserved. After all, I was a security guard not too long ago and I had very average experiences in the military. I wasn't Special Forces or with a federal agency doing anything "special". My resume is a reflection of being very lucky and being at the right place at the right time. I did a lot of cool things and saw some cool places in this world. But was I an "expert"? No, I am not.

Too many "experts" are not willing to admit they are in fact still learning. Too many believe it is more important to demonstrate knowledge than to receive it. Too many believe the best analysis of a problem is the one that is more conducive to a "solution" they've created. Instead of more people willing to tell us about security, we need more people willing to sit down, shut up, and listen to what others have to share. From now on, I'll be sharing my knowledge in an attempt to learn more than I teach. The only question left to ask is "Will I be alone?"

Thursday, June 6, 2013

Terrorism and Intelligence Legislation You Should Know About But Don't



Now that this NSA story has spawned the insane amount of nonsensical and baseless conjecture on my Twitter feed, I thought I'd take a moment and educate everyone on intelligence and terrorism legislation they should already know about but don't for various reasons.

Terrorism:
  • Biological Weapons Anti-Terrorism Act of 1989
  • Executive Order 12947 signed by President Bill Clinton Jan. 23, 1995, Prohibiting Transactions With Terrorists Who Threaten To Disrupt the Middle East Peace Process, and later expanded to include freezing the assets of Osama bin Laden and others.
  • Omnibus Counterterrorism Act of 1995
  • US Antiterrorism and Effective Death Penalty Act of 1996 (see also the LaGrand case, which pitted Germany against the US in the International Court of Justice in 1999-2001 concerning a German citizen convicted of armed robbery and murder, and sentenced to death)
  • Executive Order 13224, signed by President George W. Bush Sept. 23, 2001, among other things, authorizes the seizure of assets of organizations or individuals designated by the Secretary of the Treasury to assist, sponsor, or provide material or financial support or who are otherwise associated with terrorists. 66 Fed. Reg. 49,079 (Sept. 23, 2001).
  • 2001 Uniting and Strengthening America by Providing Appropriate Tools for Intercepting and Obstructing Terrorism Act (USA PATRIOT Act) (amended March 2006) (the Financial Anti-Terrorism Act was integrated into it) - I don't have enough energy to discuss the Patriot Act. All you need to know is that it gives the US government very broad powers in order to combat terrorism.
  • Homeland Security Act of 2002, Pub. L. 107-296.
  • Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2002
  • REAL ID Act of 2005 - Perhaps one of the most controversial pieces of legislation from the Bush era, it set forth certain requirements for state driver's licenses and ID cards to be accepted by the federal government for "official purposes", as defined by the Secretary of Homeland Security. It also outlines the following: 
    • Title II of the act establishes new federal standards for state-issued driver licenses and non-driver identification cards.
    • Changing visa limits for temporary workers, nurses, and Australian citizens.
    • Funding some reports and pilot projects related to border security.
    • Introducing rules covering "delivery bonds" (similar to bail bonds but for aliens who have been released pending hearings).
    • Updating and tightening the laws on application for asylum and deportation of aliens for terrorist activity.
    • Waiving laws that interfere with construction of physical barriers at the borders
  • Animal Enterprise Terrorism Act of 2006 - The Animal Enterprise Terrorism Act (AETA) prohibits any person from engaging in certain conduct "for the purpose of damaging or interfering with the operations of an animal enterprise" and extends to any act that either "damages or causes the loss of any real or personal property" or "places a person in reasonable fear" of injury.
  • Military Commissions Act of 2006 - The United States Military Commissions Act of 2006, also known as HR-6166, was an Act of Congress signed by President George W. Bush on October 17, 2006. The Act's stated purpose was "To authorize trial by military commission for violations of the law of war, and for other purposes." It was declared unconstitutional by the Supreme Court in 2008 but parts remain in order to use commissions to prosecute war crimes.
  • National Defense Authorization Act of 2012 - The second most controversial piece of legislation from the War on Terror authorizes "the President to use all necessary and appropriate force pursuant to the Authorization for Use of Military Force (Public Law 107-40; 50 U.S.C. 1541 note) includes the authority for the Armed Forces of the United States to detain covered persons (as defined in subsection (b)) pending disposition under the law of war.
    (b) Covered Persons- A covered person under this section is any person as follows:
    (1) A person who planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored those responsible for those attacks.
    (2) A person who was a part of or substantially supported al-Qaeda, the Taliban, or associated forces that are engaged in hostilities against the United States or its coalition partners, including any person who has committed a belligerent act or has directly supported such hostilities in aid of such enemy forces.
    (c) Disposition Under Law of War- The disposition of a person under the law of war as described in subsection (a) may include the following:
    (1) Detention under the law of war without trial until the end of the hostilities authorized by the Authorization for Use of Military Force.
    (2) Trial under chapter 47A of title 10, United States Code (as amended by the Military Commissions Act of 2009 (title XVIII of Public Law 111-84)).
    (3) Transfer for trial by an alternative court or competent tribunal having lawful jurisdiction.
    (4) Transfer to the custody or control of the person’s country of origin, any other foreign country, or any other foreign entity.
    (d) Construction- Nothing in this section is intended to limit or expand the authority of the President or the scope of the Authorization for Use of Military Force.
    (e) Authorities- Nothing in this section shall be construed to affect existing law or authorities relating to the detention of United States citizens, lawful resident aliens of the United States, or any other persons who are captured or arrested in the United States.
    (f) Requirement for Briefings of Congress- The Secretary of Defense shall regularly brief Congress regarding the application of the authority described in this section, including the organizations, entities, and individuals considered to be ‘covered persons’ for purposes of subsection (b)(2).
  • Homeland Security Presidential Directive/HSPD-5 requires all federal and state agencies establish response protocols for critical domestic incidents in line with the National Incident Management System.

Intelligence

Friday, May 3, 2013

How CARVER And Site Surveys Can Better Protect Your Assets (and your rear) + [VIDEO]

USAF Security Forces members conducting a site survey (Source: USAF)


"Come on, dude. It's Idaho! No one is ever going to attack us" was a common talking point at my first duty station in the military. It can be difficult when you spend every day near multi-million dollar aircraft to see their strategic importance, particularly when they're located in the "middle of nowhere". Sadly, before 9/11, this attitude was more commonplace than some would care to admit. Nowhere was that more apparent than our original perimeter fence which consisted of two rusted barbed wires, humongous decorative rocks, and almost nonexistent perimeter patrols. On September 11, 2001, the way we and countless other military bases thought of security changed. The base's security posture changed within hours and our "sleepy" installation soon seemed better fitted in Tel Aviv than Idaho. As time went on, that posture too changed. However, a process was adopted to address the dynamic security environment.

One of my jobs in the military was as the Non-Commissioned Officer In-Charge of Physical Security. In short, I managed the physical security program which provided protection for all of the military base's critical weapon systems and their support elements. A key component to that job was conducting various site surveys to evaluate the security already in-place and to make recommendations as to what could be done to enhance it and to address any deviations from accepted security protocols. Basically, I ran around the base thinking of ways I could break and steal things. Over time, I got to be pretty good at seeing what I later called the "security landscape" from my adversary's point-of-view. A good security practitioner does this in a few ways.
  • Knowing the threat
  • Knowing the importance of the asset
  • Talking to subject matter experts regarding the asset
  • Knowing the existing defensive measures for the asset
  • Knowing what the accepted security practices were for the asset
  • Examining the asset and its defensive measures in person
  • Testing those measures with exercises using probable attack patterns
This methodology is not new. Site surveys have been around since before Roman times. Supposedly, Caesar would conduct special patrols of his defenses. When he would catch soldiers without their shields or being proactive, they were dealt with severely. Today, many in the public and private sector use what's commonly referred to as the CARVER model, which was originally developed as a targeting tool for use by US Special Operations Forces to quickly and thoroughly analyze enemy critical infrastructure to identify a critical node against which a small well-trained force can launch an attack to disable or destroy that infrastructure. CARVER uses a matrix to determine the likelihood of an attack based on several factors:

  • Criticality
  • Accessibility
  • Recuperability
  • Vulnerability
  • Effect
  • Recognizability
Here's a model of that matrix:


I can't stress enough the need to actually see the asset and the area around it in order to make a proper assessment. To do this, you must first go in looking at every conceivable attack venue whether it be cyber or an intrusion. Get a tour and walk around. Next, talk to the experts to determine what's critical to the asset's operation. Next, look at similar attacks on similar assets. Then determine how an untrained and a skilled attacker would approach the target. Identify surveillance locations, chokepoints, and avenues of approach. Look for existing defensive measures. Are they adequate? Are they outdated? Finally, sit down and do the most dreaded part of this job - make a report to the decision-makers.

In the video below, you'll see a counterintelligence site survey being depicted in the Cold War. It's interesting to see the similarities behind my approach and theirs. Would you do something different?


Thursday, May 2, 2013

Security Officer vs Rent-A-Cop - Knowing the Difference Could Be Life or Death


"You're just a rent-a-cop", they said as I chased them from one end of the property to another. These particular trespassers had breached our property before and were stealing bikes from residents while they slept. But this day, I would not let them escape. As we got to the rear of the property, a large concrete wall appeared separating the property I was protecting and an adjacent housing area. Darn it. They were going to get away. I watched them scale that fence like the little, juvenile delinquent ninjas I knew them to be. The last one looked at me as he climbed the wall and yelled "Man, how can you be a rent-a-cop and live with yourself?" He then tossed several oranges at me and laughed. This was a weekly occurrence, as school recessed. That night, we lost an officer in the line of duty at another property doing the same thing I was doing.

I have countless stories like this from my time as a security officer. They all taught me a very valuable lesson - there is no such thing as a "rent-a-cop" or a guard. What security officers do and what they're responsible for requires a professional attitude and reception from both the people they protect and the public at large. However, that does not happen in the age where those who work security are often viewed as "wanna-be's", "rent-a-cops", "flashlight cops", and guards. We've all done it. I did it too. We go to our favorite shopping area and encounter a person who is obviously security. All we need is their physical appearance and a view of their demeanor for about five seconds to determine what category they fit. Yet none of us has ever contemplated the reasons why we have these officers in place. 

Often, officers are viewed as a "necessary evil" deployed at the behest of an unknown proprietor who just wants to protect his property. Although, I have met managers and proprietors who treated security as though it was something they didn't want but felt they had to have for whatever reason. This perception of officers then makes its way to officers as well who view themselves as what they portrayed. This leads to a cadre of officers who either don't work to change that perception or who really do personify it to become employed in the field as a refuge.



So how do we change that perception? Well, we need standardization - the ugliest word in security. We need to set clear and concise guidelines as to what constitutes the duties, responsibilities, and authority of officers. Many proprietors and officers have no clue what their job is other than to "protect stuff and stay out of the boss' way". You see this commonly in establishments where officers have a very lackadaisical attitude to situation awareness and who lack a proactive approach to security. They walk around with glazed eyes, reading the latest crossword section, and not paying any attention or having any investment into having a secure environment. Supervisors of these officers are scarcely seen and are often reluctant to dispel the perception as well. Managers, proprietors, and security supervisors should have written guidelines and procedures for officers to study, be knowledgeable about, and follow strictly.  They should also understand what authority they convey over occupants, tenants, and others on the property that extend to trespass warnings or even effecting arrests in some circumstances.

Next, better screening of officers to perform the duties required is needed. Why hire a senior citizen who can barely walk without assistance to patrol a strip mall on foot? You're certainly not deterring crime and are providing a presumably inadequate response element when an incident occurs. This screening should take into account the usual - felonies, misdemeanors, drugs, theft, etc. It should also recognize military and law enforcement service, previous security experience, and expectations for the job. That last item is very critical. When I worked security, I was appalled by the number of people I encountered who saw this as just another job and not a potential career. Many believed the job was "beneath" them or was too tedious and felt underwhelmed. Managers should hire employees who see security as being an integral part of how companies protect their assets and their customers and who don't see the job in the same light as they do cooking burgers at a chain restaurant.

We also need to change how proprietors view the profession. Some see those who do the jobs as something anyone can do. There is perhaps nothing that caused me more frustration than this attitude. Many times working security can be very hazardous and life-ending. My nights were often filled with "shots fired" calls and armed assailants. I was surrounded by drug dealers and other nefarious people daily. I had to learn a second language just to be able to do my job. I had to train in non-lethal techniques, hand-to-hand combat, marksmanship, first aid, and fire suppression. Tell me again how anyone can do this job.

Don't get me wrong. I realize not all companies or proprietors are like this. There are  many who screen their officers, who deploy them with the expectation they will be utilized fully, and properly supervise them. There are some, though, who perpetuate the stereotype of "flashlight cops" by employing officers who conduct their duties in that manner. There are also proprietors who contract these companies because they are often the cheapest. This does little to provide meaningful protection nor does it provide an accurate portrayal of how professional officers conduct themselves. Many would say the easiest way to change this is with effective national legislation or at the very least legislation in states who have none for officers. Some states don't even make it a requirement to have officers be licensed. Having worked in a state that does, I can't imagine doing it without one let alone hiring a company that wasn't. 

Nothing is perhaps more telling than the hazards officers face in this line of work. Take a look at these statistics from Private Officer International from 2011:
  • Injuries and assaults saw a 17 percent increase over 2011.
  • There were 112 on-duty deaths.
  • 103 killed were male; nine were female.
  • The median age of those killed was 46 years old; the youngest was 19.
  • The top three places officers were killed were: nightclubs, residential areas, and retail centers.
  • The top three places officers were assaulted were: retail centers, nightclubs, and hospitals.
  • Top three causes of death were gunshots (65), trauma (14), and stabbing (9).
  • There were four on-duty confirmed suicides

What I've outlined is a comprehensive plan to standardize, professionalize, and enhance the job of asset protection.  The American Society for Industrial Security is at the forefront of this. They have published a guideline that is a standard-bearer in some organizations. We can no longer accept the mantra that those who work on the frontlines of crime are mere "rent-a-cops". If there is one thing we've learned in recent years, more and more officers are making the ultimate sacrifice. The shameful part of all of it is not their deaths but our apathy towards recognizing the distinct professionalism required to do this job.

Saturday, March 16, 2013

VIDEO: Kenyan Presidential Security


While reviewing the latest YouTube videos on security, I came across the video above. If you're not aware, Kenya recently held its presidential elections where Uhuru Kenyatta was named its fourth president-elect. As is the case in the United States, Kenya's head of state has a protection detail.

Here's what I gleaned from the video:
  1. Kenyans have a different protection mentality than most Westerners, which may actually be good. The news anchors were briefly explaining what happens once the election has been certified, when she said "he'll become the 'property of the state'". Additionally, the detail and not the principal controls his/her security.
  2. While awaiting the election to not be challenged, Uhuru will have a temporary detail and a code name assigned to him, much like in the States where the president-elect receives his/her detail as soon as he receives his party's nomination.
  3. Their details seem to be structured somewhat similarly to those of Western nations. There is an exterior perimeter surrounding the vehicle and an interior as well. The exterior appears to be doing some outward surveillance while the inner perimeter concentrates on the road ahead. They also seem to have control over the reception line as well.
While researching this story, I came across another video which was a bit more telling.


From this video, we can see a few similarities and some differences.
  1. Changing radio call signs. No secrets here. Great tactic that is used all over the world.
  2. Route clearance. Another great move. Though, I am curious why they took this road. Many details would have avoided it for its obvious issues.
  3. Open air vehicles should ALWAYS be a no-no.
  4. Giving the principal the threat information briefing every night is good. Though, I think this should be something he gets along with his intelligence report first thing in the morning.
The Kenyans are moving in the right direction towards VIP security. There were lots of things I like from a protection specialist perspective. And there were things I did not like. Most of the things I did not like are lessons best learned through countless drills and exercises to hone in how vulnerable your principal is. In light of al Shabab's threats and terrorist activities against the Kenyans, it's safe to assume they are working out some of the kinks.

Saturday, March 9, 2013

INTERVIEW: Guardly Offers Insight Into Indoor Positioning System and The Future Of Emergency Dispatch



I'm just going to put it out there. I love Guardly. After writing my last piece on the public safety mobile app, I decided to subscribe to the service. And to be honest, I'm blown away by its user-friendly GUI, the depth of its coverage, how robust its emergency protocols are, and the overall potential it has for much greater deployment. So last week, when I saw that they developed a new feature for some of their college campus clients, I became quite curious and called Guardly to find out. Here's my interview with Guardly CEO, Joshua Sookman.

Josh, it's great to speak with you again. I love the product and I'm calling to find out about your latest development.

Scriven, it's great to hear from you. Well, we've been developing a new feature called Indoor Positioning System which will relay to emergency contacts and dispatchers where you are in much greater detail. By greater detail, I'm referring to your location inside a building.

Wow. Is that like GPS? If so, that sounds like an incredible development. 

Not quite. So here's how it works. We begin using the features that already exist in your phone to analyze certain data like WiFi connections and various radio frequencies to narrow down where you are.

How does that look to the dispatcher?

It works just like the original display but with added metadata. It can tell the dispatcher if you're in a specific room or the elevator shaft or a stairwell. We use those radio frequencies and WiFi hotspots to do this. Each location in a building will have a different frequency signature. So that data can point to a specific location in the building. Basically, we want to take what used to be a 2D world and use augmented metadata to depict a 3D environment for the dispatcher. We believe doing this will decrease response times in getting help to you, as so much time is used in the initial moments of an emergency dispatch call to get this information out of the caller. Having that information available immediately should reduce the time from call to dispatch.



Where is this available and on what platforms?

It's available only to select customers and is available on the Android OS.



So I've made no secret that I love Guardly and I see it as part of a greater movement in emergency management to decrease response times and provide better and more timely information to emergency responders. What are your feelings about such initiatives as Text to 911?

Great question. Honestly, I think it's a great step in the right direction. With it and services like Guardly we should lessen response times. Again, the more information you get, no matter how you get it, is absolutely the key. An area of concern for us and those of us in emergency management is the potential for emotional stress and possible PTSD-related issues given the level of information dispatchers could be exposed to. As we expand what is capable from using all of the features mobile phones come with such as video and audio, there is a potential for having too much information exposure for those who may not be accustomed to it. We also believe services like Guardly are an evolution of technologies that have made things more "hyper-local" and personal. We believe, as these technologies grow and evolve, so will services like Guardly and the quality of information available to first responders.

Josh, as always, it has been great talking to you. I look forward to seeing more of what Guardly has in store for the public safety sector.

For more information on Guardly's Indoor Positioning System, see the link below:

https://www.guardly.com/solutions/technology/indoor-positioning-system

To read my review on Guardly, click on the link below.

http://blog.thesecuritydialogue.org/2012/12/review-guardly-will-change-what-you.html

To download Guardly, click here.

Wednesday, February 20, 2013

Ten of the Craziest Security Awareness Posters (And Yes, I Made a Few Of Them Myself)

Today, on Twitter, I've been linking various security awareness posters. While many of these posters are very creative, they do send very ominous messages regarding the consequences of security violations. Because they tend to be overly dramatic and are seemingly outdated at times, they provide for a good chuckle every now and then.  I've even included some I made when I was a young security manager in the Air Force for good measure.  Enjoy.


Wednesday, January 30, 2013

HOT: Real-time US Drone Strikes in Pakistan (You Should Bookmark This)

Real-Time U.S. Drone Strikes in Pakistan

I found this "gem" on a site called visual.ly which hosts a variety of infographics. The data was compiled from data from The Bureau of Investigative Journalism which "provides a live-updated database of U.S. covert drone strikes in Pakistan. There are other sources for this information, including New America Foundation and The Long War Journal, each of which has its own advantages and disadvantages." This has been the best resource thus far in terms of keeping track of drone strikes in Pakistan.

Why should any security professional be concerned with these strikes? These strikes are often done to eliminate "high value targets" (HVTs). It would be prudent for a security professional to understand when and where a strike has occurred in order to prepare for reprisal attacks on any resources deemed important to the United States government. This could also provide needed intelligence on a subject of interest in an environment where you do constant threat intelligence and analysis. It does a great job as well of illustrating the continued and progressive use of "unmanned aerial vehicles" (UAVs). Becoming aware of the technology and its real-world deployments and challenges could aid a security professional in determining their applicability to their threat landscape. I HIGHLY recommend bookmarking this page for future reference, as the data will change day-by-day.


Friday, January 25, 2013

INTERVIEW: The Coolest Mass Spectrometer At the Airport You Know Nothing About - The Griffin 824

Griffin 824 in operation (Photo FLIR)
Last week, I had the privilege and esteemed honor to interview Garth Patterson from FLIR about a product I’m dying to tell you about – the Griffin 824.  Before I begin, I’d like to remind you I was in military law enforcement/security for 10 years.  However, my knowledge of the science behind the Griffin 824 is cursory at best.  So, I called every person I knew who understood mass spectrometry to give me a brief tutorial.  As you can tell, Garth explained things perfectly.

Garth, can you tell me about your background and the product?  Let’s begin with you and then what it actually does?
Well, I’m the program manager for the Griffin 824.  I previously worked for Griffin before it became a part of FLIR.  The device is a mass spectrometry device which analyzes chemical compounds at the molecular level.  It is used in a variety of field applications ranging from corrections, law enforcement, border crossings, airports, etc. It looks for explosives and narcotic traces from a user-gathered sample.
Wow, that sounds pretty interesting.  How exactly does it do that? *At this point, I’m hoping Garth doesn’t go over my head.*
What happens is the user swipes a surface with a 1-inch paper-like sheet.  The sheet contains a surface area that picks up trace elements from the surface to be examined.  The user then inputs the sample in the Griffin 824 which then inserts the sheet between two stainless steel plates.  The plates are heated to vaporize the sheet and the elements.  The ions are then manipulated using electromagnetic fields and an analysis is conducted using software in the Griffin 824.  The device can differentiate between “junk” and actual compounds.  Something ion scanners previously weren’t so good with. 
How does a user know they have a “hit”?
The machine will display a green light at the initial startup and will then go to yellow when analyzing.  After the analysis is complete, the light will either go green again to signal a negative result or go red to annunciate a positive result.
How long does it take to start up the 824?
It takes approximately 20 minutes. Though, analysis takes about 10 seconds.
Why mass spectrometry?
It’s the standard for quality lab analysis for chemical compounds.  It’s also court-friendly.
So what separates this from the lab?
It can be taken into the field.  Mass spectrometry uses a lot of big expensive equipment in a lab, as is the case with Gas chromatography–mass spectrometry.  Because it’s transportable as a single unit and has many field user-friendly applications, it’s a natural fit for field analysis.
Going over some of the literature, it claims the 824 is equipped for both audio and visual alert cues. 
Yes.  We felt there was a need for operators not to have a loud, audible cue annunciate in front of a subject.
Are there any other applications that set the Griffin 824 apart from other technology?
It’s network addressable.  This means you can presumably plug the 824 into a network and have results shared over a network to a command and control center.  The 824 also has administrative and user profiles for individual operators in addition to a USB report for flash drives.  The screen is also a touch screen.  There are also no carrier gases needed which means no big helium tanks.  The unit is self-contained.  Given its ease of use, it takes a little under a day to train personnel on how to use the 824.
Garth, to say I’m impressed is an understatement.  How long from inception to production?
About 4 years.  We have another mass spectrometer, the Griffin 460 where we received feedback from operators wanting something for field use for narcotics and explosive detection analysis.  We saw the biggest need initially in airports for trace detection.
Garth, thanks so much for taking the time to speak with me.  It was truly an honor.  

For more on the Griffin 824, please click on the links below.

FLIR Griffin 824 web page

FLIR Griffin 824 Datasheet 
To see the Griffin 824 in action check out the video below (no audio)

Thursday, December 13, 2012

Cyber Defense: The facts associated with the hacker mindset

I made a really awesome contact with Terry Beaver, a cyber security expert to say the least.  During a recent conversation on LinkedIn, he directed me to his blog, Cyber Integrity.  I was immediately impressed by the first article I saw.  I've included the link to the article and his blog throughout so you can check him out.  Terry, thanks again for continuing to push innovation in the cyber security realm.
The facts associated with the hacker mindset:
  1. Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
  2. Information is a commodity and tradeable.
  3. What man can conceive – man can and will hack
  4. Retrofitting security onto existing platforms always fails – notwithstanding that most security systems were not designed from the inside out beginning with understanding the hacker culture and methods.
  5. Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
  6. While this statement was being written, attack vectors were exploited all over the world.
  7. In the commercial world, security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security and at best, it is an afterthought laden with reactive vs. proactive behaviors.
  8. Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
  9. Information has a shelf life and is subject to being exploited for hacker benefit.
  10. Intellectual property and sensitive data is a means for me to support my lifestyle.
Postulates of a Hacker:
  1. Understanding how things work is an advantage over ignorance.
  2. Curiosity and ego are more powerful motivators than money.
  3. Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
  4. Not all people are rational, therefore choices are not predictable.
  5. Finding flaws and vulnerabilities requires an un-structured approach, out of the box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
  6. Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self centric in behavior. It may not be disciplined but often the “hack” works.
  7. There are no borders on the Internet
  8. Accountability is an effective “deterrent” against “insecurity” – applies to you, not I. If you fire me up, I will hit (hack) you.
The Hacker’s conclusions:
  1. If you turn it on and connect it, they will come – and try and take it.
  2. It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
  3. The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
  4. Capture the flag is the best paradigm for understanding security.
  5. The race is on to achieve the rapid penetration, not to the organized or disciplined standard or followed policy.
  6. Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
  7. If someone wants to breach your security seriously or badly enough – they will.
  8. The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. Problem is, that is a big challenge for people that have secure benefits, families, run errands for the wife, and go home on holidays and weekends.  Hackers sleep only when they need to.
  9. Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
  10. eCommerce is insecure – but so is regular commerce including banking (lead pipe rule)
  11. Advancing and emerging hacker technology always defeats information security policies.
  12. Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important than compliance.
  13. There is no accountability for poor security – only excuses.
  14. Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.) Cyber threats are increasing not decreasing.
  15. Confidentiality is a function of time and energy.
  16. Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.

Wednesday, December 12, 2012

Midtown Assassination: Smile! You're on camera.


A young man was brutally murdered in New York City by way of what many in the media and even law enforcement have deemed a "professional hit".  It was called a "professional hit" mainly due to the pre-hit surveillance on the target and the manner of execution.  However, there are some glaring errors I believe will lead to the killer(s) and co-conspirators' capture.

I'm not sure how much many of you know about the assassination "business".  To say the least, as a lay person myself, I can only guess there would be some rules of the trade.  Let me share a few that I think would be important:
  1. Always be aware of your surroundings.  In order to be a successful "hit man", you need to have the element of surprise and concealment.  You need surprise so your target doesn't become alerted to what you're trying to do (i.e. killing them).  If you're a person hired to kill someone, I'm imagining it would be bad for your target to turn around and see you carrying a pistol and getting ready to kill them.  Typically, a "hit man" would need concealment as well so there aren't any potential witnesses who could give away their activity to the target or the authorities.  So can someone explain to me how this "professional" killer didn't take note of the closed circuit television camera and the numerous cars a few feet away?  The last thing any "professional" wants is to get caught on tape.  Last I checked, murder for hire is a capital offense.
  2. Never do a "hit" on a busy street or in plenty of light.  The way most CCTV cameras work is by using ambient and low-level light to illuminate the images they're capturing.  Most burglars know this - thus why they do what they do at night and in low light.  If I'm to believe what my eyes are showing me above, there are several shadows which appear to be pedestrian feet somewhere in the northern quadrant of this photo.  I can also make out the victim and the killer's face.  Again, another huge no-no for any "professional hit man".
  3. Never allow your escape to be captured on video or by witnesses.  Witness reports are emerging that people saw the killer do the "hit" and noted a probable get-away vehicle which has since been discovered.  It doesn't take a genius to figure out what's about to happen next if not already.  The vehicle will be inventoried and searched for any evidence to include fingerprints and trace evidence left by the "hit man".  Also, take a few moments and imagine how this could have panned out had some hapless witness seen this and blocked the sedan from leaving.
  4. Don't wait at the scene for 30 minutes outside of where you're going to meet the target.  Yup.  That's what this idiot did.  He waited for 30 minutes outside acting very suspicious.  He was seen pacing back and forth by the sedan that was later recovered.  In case you weren't aware, New York is home to some of the most aggressive police in the Western world.  So having a loaded pistol and being seen pacing back and forth while waiting for your target is probably not what you want to do.  Below is surveillance footage released of the suspect as he's seen walking and hanging out by his getaway vehicle.

So what does this mean for those of us in security and law enforcement?

  • There is an increased level of violence and brazen violent activity by organized crime and other nefarious organizations that use this methodology.  We need to do a better job of educating and encouraging more citizens to report suspicious activity.  We need more foot patrols in our urban areas.  We need to encourage proactive private security elements to be on the look out for suspicious activity and report it to police as soon as possible.

What this case does demonstrate is a very important lesson for all of us:
  • Report any and all suspicious activity.  There is no harm with having a police officer come out and investigate the nature of your suspicion.  That's their job.  No one wants to be a snitch but a man brought a weapon into a neighborhood where anyone could have been a collateral victim.  Having the homicide detectives show up two hours later is not the way to keep your street safe.  Call it in.  If you don't want to get involved and just need to make the initial report so someone will come out, make the call and tell the operator you don't want to give your name.  Explain you'll make a statement if it turns into something where a serious crime has been committed.  Many times the police may not need you to make a statement.  One call to the police could have spared this young man's life.  Now we'll never know.

Monday, December 10, 2012

Why Senator Tom Coburn Is Wrong About Columbus

Pro 3XE Underwater Search and Recovery Vehicle cited in Senator Tom Coburn's report
Credit: http://www.atlantasmarine.com/product/videoray-pro-3-gto

Last week, Senator Tom Coburn released a report criticizing various municipalities and the Department of Homeland Security for spending taxpayer dollars frivolously on various pieces of equipment, training exercises, and conferences.  His report, titled “Safety at Any Price: Assessing the Impact of Homeland Security Spending in US Cities”, mentioned several cities including Columbus, Ohio.  I grew up in the Buckeye state for a while. As such, I pay attention to any allegations against our capital city, particularly with respect to homeland security.   So, I read the report and was surprised by its allegations.

On his web site, Senator Coburn states,
"Columbus, OH’s Underwater Robot: Columbus, Ohio recently purchased an “underwater robot” using a $98,000 UASI grant. The robot is mounted with a video providing a full-color display to a vehicle on shore. Officials on the Columbus City Council went so far as to declare the purchase an “emergency,” not because of security needs, but because of “federal grant deadlines.” If the money was not spent quickly, it would have returned to the Treasury. (Pg. 27 & 28 )"
In the report, he goes on further to state,
"The Columbus dive team, however, is responsible only for underwater search and recovery missions – not for rescue missions that may happen during a terror attack.  One of the team’s higher profile missions in recent years was the recovery of a $2 million “sunken treasure” in the Scioto River."
So, naturally I did my own "investigation" into this allegation made against Columbus and DHS. Here's what I found out:
  1. Columbus's police department is solely responsible for search and recovery.  It's in the standard operating procedures.  That much is true.  What his report fails to acknowledge is that after a terror attack the most important job any first responder agency can have is the search for human remains and evidence.  That too is in their SOP.  It states, "Underwater search and recovery operations encompass underwater criminal investigations, the recovery of bodies and property, and other operations, which by their nature fall into the scope of duties and obligations of the Division of Police."  Additionally, the Scioto River is 218 miles long and goes through downtown Columbus.  It also lies along the "approach" for Columbus International Airport.  Any counter-terrorism expert worth his/her salary will tell you this would be a natural place for an attack to occur and for law enforcement to begin search and recovery operations.  Given that debris fields from most major attacks extend for miles, it would be prudent for any law enforcement agency to look for evidence and possible human remains along this river.  My favorite item to back this up came from the FBI dive team site.  Yup.  The FBI says, "Our underwater experts can find clues and map out crime scenes in exactly those places and more...They’ve got some fancy tools and technologies to help them do their jobs: “side-scan sonar” that can detect debris...miniature remote-controlled subs that send real-time color video to the surface for on-the-spot identification and that can make videotapes of underwater searches for future use.  We’ve called on our dive teams many times over the years since the first one was launched in 1982.  For example:  When TWA Flight 800 exploded over the Atlantic in 1996, our New York team helped scour a 40-square mile patch of the ocean floor, recovering the remains of all 230 victims and 96 percent of the airplane....Our teams have even traveled overseas to support such investigations as the terrorist attack on the USS Cole."
  2. Columbus, Ohio is/was a terrorist target.  Many people don't think of Columbus, Ohio as being of major interest to al Qaeda.  However, in 2004, we learned differently.  Nuradin Abdi, a Somali native, plotted with three of his friends to attack a Columbus mall. Abdi entered this country with the sole intent to target Americans, after illegally entering in 1999.  In 2002, he along with two friends discussed bombing a mall in Columbus.  Abdi was sentenced to 10 years and was deported back to Somalia in November 2012.  Here's a link to his indictment - http://www.investigativeproject.org/documents/case_docs/85.pdf.  Here's a map of downtown Columbus.  Note its approximate distance to the airport and the Scioto River:
  3. The Homeland Security Grant Program (HSGP), under which this grant is managed, states its purpose is "to directly support expanding regional collaboration and is meant to assist participants in their creation of regional systems for prevention, protection, response, and recovery."  Part of any response and recovery effort is search and recovery.  Seriously.  Anyone who took Emergency Management 101 knows that much.  The quicker you get to the bodies and the evidence the sooner you can figure out who attacked you and more importantly, how.
  4. The New York Police Department has the same robot.  How is it that I'm the only one who caught that?  That's right.  NYPD uses this robot on the missions I described and for bomb detection as well.  Why?  Because they have a river that flows through the heart of their city.  The only exception is the Scioto currently doesn't allow commercial ships due to the 2012 drought.
  5. DHS did have a deadline that was approaching and the city council deemed funding was necessary and determined it an emergency.  Why would they call this an emergency?  Because of the ridiculous amount of time it takes for a city to make any purchases on their own.  The city simply didn't have $98k for an underwater robot.  What the report failed to mention was the city had done this numerous other times in an attempt to stockpile on homeland security equipment they felt they needed.  They purchased a similar robot for their fire department.  The exception is the fire department can't use their robot or their divers for recovery of evidence or remains.  This simply is not in their area of operations (AO).
So there you have it.  The truth about Columbus isn't what Senator Coburn made it out to be.  Senator Coburn is trying to bill himself as a good steward of taxpayer money.  While I appreciate his diligence, I am struggling with why he didn't go to these cities himself and ask the same questions I did.  Moreover, why isn't his staff asking these questions instead of producing hilarious cover art for his reports?


Video: The History of Access Control

The history or evolution of access control is congruent with the history of security.  Some would argue that it is the cornerstone of what we think of as being "secure". We have tailored many of our defenses and detection apparatus towards our entryways first because that's where we feel the threat is more likely to attack us from.  In most cases this is true.  That being said, there has been an almost comedic approach to how we should conduct access control using technology as an aid.  It seems like security technology researchers work overtime just to find parts on our body to determine where we're most unique to qualify as an "identifier".

This video is an ode to such approaches.  While modern access control technology is effective in certain applications, this video demonstrates how we've gone from being okay with being "secure" to needing to be "mega-secure".  It was made by Peter Lanaris of Lido Distributors, a supplier of HID products, access control accessories and ID badging supplies.


Saturday, December 1, 2012

BruceSchneier - The security mirage - TedX_2010 by Елизавета Павлова



The Thriller on the Twitter Has Begun! G4S vs Securitas

Okay, folks.  *cue drum roll*  The Twitter Account Showdown of Top Security Firms for 2012 has begun.  Today, we look at the accounts of G4S and Securitas.  It looks like G4S has muscled its way past Securitas in almost every category. Until next week.




Wednesday, November 28, 2012

Why It May Be Time For The Pakistani Police To Implement Fitness Standards (and some performance evaluations too)


I have nothing further to say.....

Thursday, January 5, 2012

Government Insecurity: How Many Attack Vectors Do You See?

How many attack vectors do you see on this door? Not surprisingly, this door is an exterior door outside a government building which does a lot of cash transactions in a high crime area with minimal natural observers and limited lighting. In addition, there were zero cameras. I was able to stand by the door and watch loads of people use this door with the code for entry.  There were several wedge marks on the frame.  Through the window on the door, you can see the cash registers and other sensitive equipment.  What else do you see?


Monday, January 2, 2012

Turkish Airport Security Caught Playing FPS Game On-Duty

First person shooter games are all the rage now and have clearly defined a new era of gaming.  However, as this picture below from Istanbul demonstrates, there is a time and place for everything.  Perhaps, playing Call of Duty, while on-duty as an airport security officer in a major international airport, is neither the time nor the place.

(Captured from reddit.com user 26985's post on 1/2/2012)

Pwned: Russian Rocket-maker Guards Caught Sleeping on the Job


Guard management is perhaps the most important entity in any security infrastructure.  If your on-site security personnel are led properly, they are more vigilant and duty-focused.  However, should your guard supervisors fail to properly lead and conduct regular checks on their personnel, inevitably you will find out just how important knowing the difference between leadership and supervision is.

In Russia, Energomash, the rocket manufacturer of the Soyuz capsules, learned this lesson when fellow blogger Lana Sator entered their manufacturing plant while guards were sleeping on duty.  As a former supervisor of security personnel, I can attest there is nothing like having a facility penetrated because your responders were asleep.  To make matters worse, Lana and several of her friends made five visits and each time the guards were asleep.  They gained access to several critical manufacturing sections and posted their exploits online.  As you can imagine, Russian defense and space bureaucrats were not happy and are looking at steep punishments for guards and I'm sure, managers.

Here are some pictures from Lana's blog:








The Russians aren't alone.  In 2009, guards from one of the largest guard companies in the world, Wackenhut, were caught dozing off at a nuclear facility.  Check out the video below:




